{"id":"CVE-2019-8341","details":"An issue was discovered in Jinja2 2.10. The from_string function is prone to Server-Side Template Injection (SSTI) where it takes the \"source\" parameter as a template object, renders it, and then returns it. The attacker can exploit it with {{INJECTION COMMANDS}} in a URI. NOTE: The maintainer and multiple third parties believe that this vulnerability isn't valid because users shouldn't use untrusted templates without sandboxing.","modified":"2026-05-18T05:52:15.590033555Z","published":"2019-02-15T07:29:00.257Z","related":["SUSE-FU-2022:0444-1","SUSE-FU-2022:0445-1","SUSE-SU-2019:1156-1","SUSE-SU-2019:1554-1","SUSE-SU-2020:3096-1","SUSE-SU-2020:3897-1","openSUSE-SU-2019:1395-1"],"database_specific":{"unresolved_ranges":[{"extracted_events":[{"last_affected":"15.0"},{"last_affected":"42.3"}],"source":"CPE_FIELD","vendor_product":"opensuse:leap","cpes":["cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*","cpe:2.3:o:opensuse:leap:42.3:*:*:*:*:*:*:*"]}]},"references":[{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00030.html"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00064.html"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1677653"},{"type":"REPORT","url":"https://bugzilla.suse.com/show_bug.cgi?id=1125815"},{"type":"PACKAGE","url":"https://github.com/JameelNabbo/Jinja2-Code-execution"},{"type":"EVIDENCE","url":"https://www.exploit-db.com/exploits/46386/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/pallets/jinja","events":[{"introduced":"0"},{"last_affected":"7c3b7ca95cb17589dd64fddc957035336180b90d"}],"database_specific":{"source":"CPE_FIELD","cpe":"cpe:2.3:a:pocoo:jinja2:2.10:*:*:*:*:*:*:*","extracted_events":[{"introduced":"0"},{"last_affected":"2.10"}]}}],"versions":["2.10.x","2.10.3","2.10.2","2.10.1","2.10","2.9","2.8","2.7","2.6","2.5.3","2.5.1","2.5","2.4.1","2.4","2.3","2.2.1","2.2","2.1.1","2.1","2.
0","2.0rc1"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-8341.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}